Adobe Flash® (Flash) (Adobe Flash is a registered trademark of Adobe Systems Incorporated) is a multimedia and software platform that provides advanced video playback and animation capabilities to developers and can be used to author vector graphics, animations, games and rich internet applications (RIAs). Flash is also frequently used to add streamed video or audio players, advertisement and interactive multimedia content to web pages. For example, Flash files, having a Shockwave Flash or Small Web Format (SWF), are often embedded into webpages to be played by a browser plugin, or are embedded into Adobe® (Adobe is a registered trademark of Adobe Systems Incorporated) Portable Document Format (PDF) files to be played by a copy of a Flash Player included in Adobe's Acrobat Reader software.
As the use of Flash in a variety of applications has increased in recent years, so has the occurrence of malware targeting Flash files. Malicious exploitations of Flash files can be very harmful because even though SWFs are sometimes thought of as pictures, they can carry full applications which can be maliciously manipulated. Despite the increasing occurrence of Flash exploitations and the importance of successful solutions to these attacks, however, there have been very few effective methods of detecting and removing these security risks.
One method currently used for checking to see if a Flash file contains malware is to merely run the code to see what happens. This method is known as runtime code analysis or dynamic code analysis. Dynamic code analysis might be useful when operating in a safe testing environment, where a debugger can track values of variables and trace function calls to give an accurate overview of the application's internal structure, but it is hardly practical for use outside of the testing environment when the code is actually being executed on a device and can cause harm if it includes malware. Moreover, a malicious exploit may be able to recognize that it is being run in a runtime or dynamic code analysis and may not behave maliciously to prevent being identified.
Another process for determining if a Flash file contains malware is through static code analysis during which the file is disassembled and analyzed before being executed. Current methods of static code analysis for detection of malware in Flash files are generally signature-based and rely on a case by case analysis. These methods are generally not efficient or effective and can result in identifying a significant number of false positives. The following disclosure addresses these and other issues.